Cyber Security: What's right for your organization?
Dr. Wendy Ng
Oct. 20, 2020
The Board gathers in a room in a pensive mood. Everyone is fully aware that they must protect their infrastructure estate and critical data. However, the question of whether these are adequately protected is causing our C-suite sleepless nights. Additional questions include:
- Is our operational environment secure?
- Have we got ‘enough’ security?
- Are we protecting the right assets?
- Which security solutions will best fill our current gaps?
- Would layered defense help us?
- Are we spending too much, too little, or just the right amount?
A strategy is the foundation of a cyber security program; however, the implementation is key. The following recommendations should improve our leadership’s sleep patterns:
1. Assess the current operational environment.
Questioning whether an organization is secure will rarely elicit a ‘yes’ or ‘no’ answer. This needs to be considered within an organization’s business context and risk appetite. This is especially true when trying to determine if an organization has ‘enough’ security; it is a trade-off between safeguarding business assets and limiting the business impacts of security controls.
2. Cyber defense is not a one-time solution.
New threats emerge, existing threats evolve, and attacker capability grows. Once security toolsets, capabilities and resources are in place, the business environment needs to be continuously monitored to ensure the current state is still effective and improvements are implemented as needed to mitigate any new threats.
3. To protect the right assets, maintain a full inventory of the organization’s estate.
It is quite difficult to protect unknown assets. The effects felt from a loss of access to, unauthorized disclosure of, or corruption of business-critical assets should be ranked based on their value to the organization, and should factor in legal, regulatory and contractual obligations. Obtaining clarity on the current state will be the first step in determining an organization’s security maturity. Operational processes will also have a critical role in enforcing security. It is not possible to protect everything, so categorizing and prioritizing assets based on value and criticality will help maintain focus.
4. When new toolsets and resources are needed, these must take account of the current operational environment.
Selecting cyber security solutions is not a trivial exercise; the market is filled with a wide array of products with the same apparent functionality. Organizations will have existing infrastructure, systems, operational capabilities and business processes that need to be factored into the selection process. Historically, the operational environment may not have been designed with security in mind, often with no input from the security architecture team. By the time a security architect makes first contact with the business, an organization may have undergone multiple rounds of mergers and acquisitions, spin-offs or reorganizations.
If part of an organization has already implemented security solutions that have proven effective, it tends to be less disruptive and more efficient for the business to expand and augment that solution across the wider organization. It will still be necessary to regularly assess security solutions to ensure they remain suited to business requirements.
5. Implement a layered defense approach, with the most valuable assets protected by more layers.
Implementing multiple protective layers will make an environment more challenging for attackers to penetrate, and require them to bypass multiple controls before they can reach their target. No defense is infallible, so even if some of the controls fail, there are other layers of resistance in place to either prevent an attack or provide defenders with sufficient time to detect an attack.
6. Resist the shiny objects.
It is always tempting to spend on new ‘toys’ and request additional resources, but no organization has unlimited resources for cyber security. Value from the existing toolset and resources should be maximized first. The resources spent on protection should be in proportion to the value of the assets they are safeguarding. Security toolsets and resources should also be reviewed regularly to ensure they continue to meet business and security requirements. This disciplined approach will provide structure and visibility, which will go a long way to ensure the right amount of security resources are in place.
For our board, unfortunately, there is no prescriptive answer on the right solution to protect an organization in the modern world. Along the way, difficult decisions will need to be made and there may be no straightforward answers; however, the above steps should help our C-suite rest easier.
Progress on all fronts will help an organization’s ability to recover from an incident. Cyber resilience must be considered as part of an organization’s security strategy. In the event of a breach, organizations need to ensure they are prepared to deal with the consequences. Recent incidents have shown that a prepared and orderly response will boost market and regulator confidence, and strengthen client loyalty.